The New Economy's dirty little secret

Credit crooks prey on consumers transacting online

By

JayMacDonald

NORTH PALM BEACH, Fla. (Bankrate.com) -- Where there's a web, chances are there's a spider.

Where there's a World Wide Web, there are criminals ready and able to perpetrate all sorts of havoc, from using your credit card number to ship dozens of computers overseas on your tab to hacking into customer databases, obtaining thousands of valid card numbers and using them to extort fortunes from their stunned corporate victims.

Internet fraud is the dirty little secret of the New Economy. For every well publicized Ebay or Egghead hacker attack, others go unreported, the corporate chiefs preferring to quietly pay the ransom rather than risk scaring off potential online customers with the negative publicity.

Nobody wants to cut e-commerce off at the knees just as it's getting on its feet. Credit card issuers, acquirers, processors, merchants and consumers alike welcome the convenience of online, real time transactions.

The problem is, so do the crooks.

"The criminals are going to go where the money is, and a lot of money right now is in e-commerce," says Jeff Winter, spokesman for the U.S. Secret Service Office of Investigations. "It's anonymous and it's extraordinarily lucrative.

"The criminals are going to go where the money is, and a lot of money right now is in e-commerce."
Jeff Winter,U.S. Secret Service Office of Investigations

"Robbing a bank these days is not as appealing. When you go in and you've got cameras looking at you, you know you're going to get caught and you're only going to get a couple thousand dollars. On one stolen credit card alone, on average you can get $3,000 with a skimming device. In a lot of ways, it's the bank robbery of the future."

The way crooks steal today will determine in part how we buy and sell tomorrow.

"Skimming" and "cloning"

Credit card fraud has been something of a technological foot race since the first charge cards came into existence 50 years ago.

Over the years, card issuers have added increasingly sophisticated security measures, from a simple cardholder signature on the first cards to the embossed account numbers, embedded holograms, magnetic stripes and card verification code/card verification values on today's cards.

They did their job pretty well, particularly to combat fraud from lost and stolen cards, which account for more than half of all credit card crime.

But many of those anti-fraud measures went out the window when mail order/telephone order transactions became widespread in the 1980s. The sudden growth that resulted from consumer confidence in that sales channel more than offset the increased risk of card-not-present transactions.

It also opened a lucrative new opportunity for fraud. The bad guys no longer needed the physical card to pillage your account; a valid number suffices in most cases.

Skimming uses an electronic credit card reader or "wedge" roughly the size of a pager to collect and store the information encoded on your card's magnetic stripe. The device is commonly used in places with high customer traffic such as retail stores and restaurants where the skimmer can collect card data without fear of detection. Card readers are widely available for legitimate purposes for under $300; tampering turns them into skimmers.

Terminal cloning is a more sophisticated computer scam in which the software that runs a merchant's point-of-sale terminal is actually diverted and downloaded to the criminal's computer, enabling them to, in effect, ring up fraudulent card transactions on that merchant's account.

Factoring is a scam that typically targets mom-and-pop merchants. The unsuspecting merchant will be approached by another vendor who claims to be unable to process transactions for any number of reasons. The merchant agrees to process the vendor's sales for a small percentage, the money is wired by the criminal to another account and the merchant is left with a pile of chargebacks.

Acceptable losses

Frank D'Angelo, senior vice president and general manager of electronic funds transfer and card solutions for Metavante Corp., a Wisconsin-based financial technology company, says the credit card industry long ago adopted a philosophy of acceptable loss with regard to fraud.

"It's hard to prevent fraud," he admits. "They're going to get you for the $25 initial try. Most of the energy is spent on the detection of fraud and limiting the loss."

Because merchants ultimately take the hit, Metavante and others continually urge them to watch for these warning signs of a fraudulent online purchase:

Unusually large dollar amount or number of sales to the same card number

Same dollar amount on multiple or sequential sales orders

Same card number on multiple or sequential sales orders

Sequential sales orders to accounts with the same BIN number

Shipping and billing address don't match

Orders shipping to high-risk foreign destinations

Orders from free e-mail addresses (difficult to trace)

"The various providers of credit cards have really been fighting for market share. They really loosened up their standards to some extent in penetrating new markets such as college kids to get more cards on the street," says D'Angelo.

"That created some additional fraud opportunities. The credit card industry is still very profitable, the debit card industry is still very profitable, but the opportunity has increased for fraud because the crooks are just as smart as the good guys."

There have been efforts to shore up security. Merchants are urged to use the address verification system on card-not-present transactions, but it doesn't work with foreign cards. Visa came up with a Secure Electronic Transaction online security protocol in addition to the more commonplace Secure Socket Layer, but it hasn't caught on with merchants so far.

Your money or your privacy

As long as fraud losses trail well behind credit card volume, card issuers are unlikely to do much more than shadowbox with it, according to David Sorkin, director of the Center for Information Technology and Privacy Law at John Marshall Law School in Chicago.

"Transparency is important for consumer confidence. The simpler the system, the easier it is to make it transparent to people," he says.

"Right now, businesses as well as credit card issuers are really going out on a limb to push for acceptance of online transactions and promote consumer confidence. They are not really charging discount rates that reflect the increased risk yet because they want consumers to use their cards online."

Merchants, on the other hand, have a very real stake in knowing a little more about who's at the other end of that online transaction. Sorkin says don't be surprised if that online vendor follows up on your next major purchase with a few additional questions.

"I think that's quite possible," says Sorkin. "Now, in a lot of cases, you may have to supply a street address and they'll verify that, where you probably wouldn't need it for a card-present transaction. It is certainly possible that they'll extend upon that by asking for a phone number.

"I don't think they'll go so far as to ask for a mother's maiden name or Social Security number, but it wouldn't surprise me to see them add to that list."

"The other part of the story is you have inherently violent criminals now who are getting into what has traditionally been called white-collar crime," says Winter.

Meaning organized crime?

"No question. Absolutely. That's a big part of it now. Most of it is organized crime.

"The difficulty with technology, financial crimes and cybercrime in general nowadays is the traditional venues of jurisdiction are blurred," he adds. "The crime may be committed here but then it's sent overseas. Sometimes the crime occurs overseas but the companies in the U.S. are being hit.

"With the evolution of our payment systems, we've become more and more involved as an investigative unit. We're beefing up big-time."

Intraday Data provided by SIX Financial Information and subject to terms of use. Historical and current end-of-day data provided by SIX Financial Information. All quotes are in local exchange time. Real-time last sale data for U.S. stock quotes reflect trades reported through Nasdaq only. Intraday data delayed at least 15 minutes or per exchange requirements.